<html>
<head><meta charset="utf-8"><title>unsafe-fn · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html">unsafe-fn</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="175715193"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715193" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715193">(Sep 14 2019 at 19:39)</a>:</h4>
<p>Is there a good reference on "when your <code>fn</code> should be <code>unsafe fn</code>"? Brought to you by <a href="https://github.com/signalapp/ringrtc/issues/1" target="_blank" title="https://github.com/signalapp/ringrtc/issues/1">https://github.com/signalapp/ringrtc/issues/1</a></p>



<a name="175715465"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715465" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715465">(Sep 14 2019 at 19:47)</a>:</h4>
<p>It's somewhat of a topic of unknown: if I have a private function that should be unsafe (i.e., it can cause UB if called incorrectly), must it be unsafe?</p>



<a name="175715515"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715515" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715515">(Sep 14 2019 at 19:48)</a>:</h4>
<p>I believe for the current compiler (though it's not documented/specified, etc.) it's true that adding/removing <code>unsafe</code> means nothing, it's essentially "just" a lint, but I think I've seen some discussion that we might want to change that</p>



<a name="175715581"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715581" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715581">(Sep 14 2019 at 19:50)</a>:</h4>
<p>That matches my understand, that the compiler has no knowledge of <code>unsafe</code>, except that you may perform <code>unsafe</code> operations only in <code>unsafe</code> contexts.</p>
<p>From an auditability perspective, making <code>unsafe</code> operations as safe is catastrophic though.</p>



<a name="175715602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715602">(Sep 14 2019 at 19:51)</a>:</h4>
<p>I'm not sure I'd go that far -- one example that I've found interesting in the past is <a href="https://github.com/dtolnay/erased-serde/blob/master/src/any.rs#L16-L20" target="_blank" title="https://github.com/dtolnay/erased-serde/blob/master/src/any.rs#L16-L20">https://github.com/dtolnay/erased-serde/blob/master/src/any.rs#L16-L20</a></p>



<a name="175715649"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715649" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715649">(Sep 14 2019 at 19:52)</a>:</h4>
<p>In this case essentially this is saying that the whole crate must be audited just as much whether these are unsafe or not due to how their unsafety is specified</p>



<a name="175715653"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715653" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715653">(Sep 14 2019 at 19:52)</a>:</h4>
<p>so in some sense, adding that unsafe wouldn't be all that helpful</p>



<a name="175715659"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175715659" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175715659">(Sep 14 2019 at 19:53)</a>:</h4>
<p>though it does in some sense hurt the ability of e.g. cargo-crev to say "oh, this whole crate has unsafe everywhere"</p>



<a name="175758561"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175758561" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175758561">(Sep 15 2019 at 17:41)</a>:</h4>
<p><code>unsafe</code> is a marker that you need to manually uphold some invariants before calling this function. This is largely a human-oriented annotation, there is very little tooling that actually uses it. It is mostly a speedbump and a persistent marker to think about what you feed to this function.</p>



<a name="175758577"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175758577" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175758577">(Sep 15 2019 at 17:41)</a>:</h4>
<p>I have myself created a tool that expects safe functions to never cause UB. The tool is geared towards detecting functions that break this contract, i.e. can cause UB or exploitable security vulnerability by using only safe code.</p>



<a name="175758635"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175758635" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175758635">(Sep 15 2019 at 17:43)</a>:</h4>
<p>I'd argue that Rust with unsafe functions exposed as safe is basically the same as C code. There are no markers on what's safe and what's not and no automation enforcing that, so you're back to the C situation of constant vigilance, which humans are incapable of.</p>



<a name="175758949"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175758949" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175758949">(Sep 15 2019 at 17:51)</a>:</h4>
<p>I basically agree with that -- you should be able to know that if you didn't type <code>unsafe</code>, you didn't introduce memory unsafety</p>



<a name="175764335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175764335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175764335">(Sep 15 2019 at 20:19)</a>:</h4>
<p>I think to an extent this gets back to the notion of having "unsafe modules" or some such (i.e., what is the scope of unsafe)</p>



<a name="175764345"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/175764345" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#175764345">(Sep 15 2019 at 20:19)</a>:</h4>
<p>in erased-serde's case I feel like it's essentially the entire crate that needs to be audited anyway so I sort of agree that marking the functions as unsafe would be unhelpful</p>



<a name="176021231"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/unsafe-fn/near/176021231" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/unsafe-fn.html#176021231">(Sep 18 2019 at 16:29)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> so far the only places I've used <code>unsafe fn</code> are where they're tied to <code>target_feature</code>s (which requires them) or for FFI externs</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>